This notice is to advise all Joyent Public Cloud (JPC) and SmartDataCenter (SDC) customers of the recently identified bash security vulnerability CVE-2014-6271 (http://seclists.org/oss-sec/2014/q3/649) and the follow-on CVE-2014-7169 (https://access.redhat.com/security/cve/CVE-2014-7169), collectively known as Shellshock.
Note that CVE-2014-7169 was assigned because the first upstream fix for CVE-2014-6271 was incomplete; a bash patched only for CVE-2014-6271 is still affected. (Both fixes are created by the upstream maintainers of bash, not by Joyent.)
[UPDATED Tues Oct 2 2:54am UTC 2014]
AT THIS TIME, JOYENT has patched the platform bash addressing CVE-2014-6271 as well as CVE-2014-7169 in the Joyent Public Cloud. Updates to pkgsrc bash are also now available in SmartOS pkgsrc repositories (please read details below under "Joyent Public Cloud").
SmartDataCenter customers should have received a notification by ZenDesk ticket with further instructions.
The impact of these vulnerabilities is as follows:
Joyent Public Cloud
Joyent has applied a patch to the underlying platform of all our servers to address this bug. Most users of SmartOS VMs will NOT need to take any action. If the command "which bash" returns "/usr/bin/bash", no action is required on your part. Note that "which bash" only reports the first bash on your PATH: any script or login shell that names /opt/local/bin/bash explicitly uses the pkgsrc copy regardless of PATH, so also check for that path as described below.
- Joyent has updated bash in pkgsrc. Please note that some older pkgsrc repositories either do not contain bash or will not be patched due to their age; see the table below for details. The package that includes the fix for both CVE-2014-6271 and CVE-2014-7169 is "bash-4.3.025nb2". If the command "which bash" returns "/opt/local/bin/bash", you will need to either update the pkgsrc-provided bash by running "pkgin -f up && pkgin in bash", or remove the pkgsrc version with "pkgin rm bash". The latter command removes the pkgsrc version, and the machine falls back to the patched platform-provided bash at /usr/bin/bash.
- Users of Linux VMs on Joyent's Public Cloud will need to apply the necessary updates, based on the distribution they are using. Please follow the appropriate link below:
| Pkgsrc Repo      | Status            | User Action Required       |
|------------------|-------------------|----------------------------|
| 2010Q4           | Bash not in repo  | None                       |
| 2011Q1           | Won't be patched  | Remove bash. See below     |
| 2011Q2           | Won't be patched  | Remove bash. See below     |
| 2011Q3           | Won't be patched  | Remove bash. See below     |
| 2011Q4           | Won't be patched  | Remove bash. See below     |
| 2012Q2           | Won't be patched  | Remove bash. See below     |
| 2012Q3           | Won't be patched  | Remove bash. See below     |
| 2012Q4 and later | Patch applied     | Re-install bash. See below |
To remove pkgsrc bash (2011Q1 through 2012Q3 repositories):
1. Check whether any users have the pkgsrc bash as their login shell:
getent passwd | grep /opt/local/bin/bash
2. If you have users with pkgsrc bash as their shell, change it to /usr/bin/bash. Do this before removing the package, otherwise those users will no longer be able to log in:
usermod -s /usr/bin/bash <login>
3. Remove pkgsrc bash; the machine falls back to the patched platform bash:
pkgin rm bash
To re-install the patched pkgsrc bash (2012Q4 and later repositories):
pkgin -f up && pkgin in bash
Afterwards, "pkg_info -e bash" should report bash-4.3.025nb2 (or newer).
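As an added example (helper code written for this page, not part of the Joyent notice), the following POSIX sh functions automate the checks in the steps above: they list accounts whose login shell is the pkgsrc bash, compare an installed pkgsrc bash package name against bash-4.3.025nb2, and run the two public reproducers for CVE-2014-6271 and CVE-2014-7169 against a given bash binary. The passwd lines in the demo are constructed, and the version comparison is a simplified form of pkgsrc's ordering that is sufficient for the 4.3.NNNnbN package names involved here.

```shell
#!/bin/sh
# Added example, not part of the Joyent notice: audit helpers for the Shellshock
# remediation steps. Package name and paths come from the notice; the sample
# passwd data below is constructed for illustration.

PKGSRC_BASH=/opt/local/bin/bash
PLATFORM_BASH=/usr/bin/bash
FIXED_PKG=bash-4.3.025nb2      # pkgsrc package carrying both CVE fixes

# Print the login name of every account whose login shell is the pkgsrc bash.
# Reads passwd(5)-format lines on stdin (e.g. from `getent passwd`). Matches
# the shell field exactly, unlike `grep /opt/local/bin/bash`, which also hits
# home directories or comments that merely contain the string.
pkgsrc_bash_users() {
    awk -F: -v shell="$PKGSRC_BASH" '$7 == shell { print $1 }'
}

# Turn "bash-4.3.025nb2" (or "4.3.025") into four numeric fields:
# major minor patchlevel pkgsrc-revision. Leading zeros are dropped.
split_ver() {
    v=${1#bash-}
    case $v in
        *nb*) nb=${v##*nb}; v=${v%nb*} ;;
        *)    nb=0 ;;
    esac
    printf '%s\n' "$v" | awk -F. -v nb="$nb" '{ printf "%d %d %d %d\n", $1, $2, $3, nb }'
}

# Exit 0 if the installed package name (as printed by `pkg_info -e bash`) is
# the fixed version or newer, 1 otherwise. Fields are compared left to right.
bash_pkg_is_fixed() {
    printf '%s\n%s\n' "$(split_ver "$1")" "$(split_ver "$FIXED_PKG")" | awk '
        NR == 1 { for (i = 1; i <= 4; i++) have[i] = $i + 0; next }
        NR == 2 { for (i = 1; i <= 4; i++) {
                      if (have[i] > $i + 0) exit 0
                      if (have[i] < $i + 0) exit 1
                  }
                  exit 0 }'
}

# Run the two public reproducers against the bash binary given as $1.
# Returns 0 when neither bug is present.
#   CVE-2014-6271: a function definition imported from the environment must
#                  not execute the command that trails it.
#   CVE-2014-7169: the "(a)=>\" parser case must not turn the next word into
#                  a redirection, i.e. no file named "echo" may appear.
shellshock_check() {
    b=$1
    out=$(env x='() { :;}; echo vulnerable' "$b" -c 'echo test' 2>/dev/null || true)
    case $out in
        *vulnerable*) echo "$b: vulnerable to CVE-2014-6271"; return 1 ;;
    esac
    d=$(mktemp -d) || return 2
    if ( cd "$d" || exit 2
         env X='() { (a)=>\' "$b" -c 'echo date' >/dev/null 2>&1 || true
         [ -e echo ] ); then
        rm -rf "$d"
        echo "$b: vulnerable to CVE-2014-7169"
        return 1
    fi
    rm -rf "$d"
    echo "$b: not vulnerable"
    return 0
}

# Constructed sample, not a real passwd file. The third line shows why an
# exact match on the shell field matters: the string appears in the home
# directory, but the login shell is /bin/false.
SAMPLE_PASSWD='root:x:0:0:Super-User:/root:/usr/bin/bash
admin:x:100:1:Admin:/home/admin:/opt/local/bin/bash
svc:x:101:1:Service:/opt/local/bin/bash-app:/bin/false'

if [ "${1:-}" = "--demo" ]; then
    # Emit the usermod commands to run before `pkgin rm bash`.
    printf '%s\n' "$SAMPLE_PASSWD" | pkgsrc_bash_users | while read -r login; do
        echo "usermod -s $PLATFORM_BASH $login"
    done
    bash_pkg_is_fixed bash-4.3.024 && echo "bash-4.3.024: fixed" || echo "bash-4.3.024: update needed"
    shellshock_check "$(command -v bash)"
fi
```

Run it as `sh shellshock-audit.sh --demo` to see it on the constructed data, or source it in a SmartOS zone and pipe `getent passwd | pkgsrc_bash_users`, `bash_pkg_is_fixed "$(pkg_info -e bash)"` and `shellshock_check /opt/local/bin/bash` to check the real system. The functional check is the authoritative one: it tells you whether the binary you actually run is still affected, whatever the package name says.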
- Both a hot-fix service (for SDC 6 and SDC 7) and a new platform image (for SDC 7 only) are now available to enable customers to update their SDC installations. Action is required by customers to apply these fixes. Instructions for applying the hot-fix, as well as for applying the latest platform image on SDC 7, have been sent by ZenDesk to SDC customers. If you have NOT received instructions, you can open a support ticket at https://help.joyent.com or by email to firstname.lastname@example.org to request the link and instructions.
- SmartDataCenter customers will need to advise their end users of this vulnerability, and advise them of any actions their end users will need to take. We will follow up with additional details as they are available.